Hi Neale,

My IPSEC rekey is set to high (2 hr). So the issue is not during rekey.

According to code, during decrypt the esp_process_ops() is called. In this function, I had added the below print. Whenever I get integrity check failure, I see that print in my application logs.

Once I land into this issue, it always fails. To recover I have to reset ike and ipsecsa and establish again.

When can I see the integrity check failure in decrypt?

*Code snippet*
*========*

    static_always_inline void
    esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
                     vnet_crypto_op_t * ops, vlib_buffer_t * b[], u16 * nexts,
                     int e)
    {
      vnet_crypto_op_t *op = ops;
      u32 n_fail, n_ops = vec_len (ops);

      if (n_ops == 0)
        return;

      /* ops that did not complete successfully */
      n_fail = n_ops - vnet_crypto_process_ops (vm, op, n_ops);

      /* walk the ops and mark the buffer of each failed one for drop */
      while (n_fail)
        {
          ASSERT (op - ops < n_ops);

          if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
            {
              u32 err, bi = op->user_data;

              if (op->status == VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC)
                {
                  err = e;
                  /* debug print added for this investigation */
                  printf ("In esp_process_ops op status = VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC\n");
                }
              else
                {
                  err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
                  /* debug print added for this investigation */
                  printf ("In esp_process_ops err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR\n");
                }

              b[bi]->error = node->errors[err];
              nexts[bi] = ESP_DECRYPT_NEXT_DROP;
              n_fail--;
            }
          op++;
        }
    }

On Mon, Aug 2, 2021 at 1:06 PM Neale Ranns <ne...@graphiant.com> wrote:

> Hi Vijay,
>
> No I don’t see random failures. Do they occur during a rekeying event?
>
> /neale
>
> *From: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io>
> *Date: *Monday, 2 August 2021 at 08:43
> *To: *vpp-dev <vpp-dev@lists.fd.io>
> *Subject: *Re: [vpp-dev] Regarding IPsec errors "Integrity failure" and "Unsupported payload"
>
> Hi Neale,
>
> Do you have any suggestions for this problem?
>
> Did you face this random issue anytime?
>
> On Sat, Jul 31, 2021 at 7:05 PM Vijay Kumar via lists.fd.io <vjkumar2003=gmail....@lists.fd.io> wrote:
>
> Hi Neale,
>
> I am testing data traffic b/w Strongswan and VPP but sometimes data traffic is dropped in *esp4-decrypt-tun* graph node. Sometimes it is dropped with "Integrity failure" while sometimes it is "Unsupported payload"
>
> But if I delete the tunnel and re-establish IPSec SA, then it works fine.
>
> I have ensured the configuration w.r.t PSK, Proposals and TS is fine. Also, I confirmed that the adjacencies(routes) for the Strongswan are fine on the VPP side.
>
> Version I am using is pasted below.
>
> Could I be missing something? These are random issues.
>
> vpp# show version
> *vpp v20.05.1-2*~g44ff05906-dirty built by an-vijay_kumar on 56d1c81f572a at 2021-07-30T15:54:16
>
> Regards.
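Added example, not part of the original thread and not VPP code: a minimal model of the ESP integrity check (RFC 4303) that the BAD_HMAC status in the message above reports, showing how one damaged packet fails in isolation while a difference in SA state between the peers makes every packet fail. It goes beyond the thread by also covering a differing ESN setting. Assumptions: HMAC-SHA-256-128 as the integrity algorithm (the thread does not state the proposal), constructed keys, SPI and payload bytes, and all function names.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128 truncates the tag to 128 bits (RFC 4868)

def esp_icv(key, spi, seq_lo, body, seq_hi=None):
    # The ICV covers SPI, the low 32 bits of the sequence number and the payload;
    # with ESN the high 32 bits are appended for the computation only.
    data = struct.pack("!II", spi, seq_lo) + body
    if seq_hi is not None:
        data += struct.pack("!I", seq_hi)
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def esp_seal(key, spi, seq_lo, body, seq_hi=None):
    return struct.pack("!II", spi, seq_lo) + body + esp_icv(key, spi, seq_lo, body, seq_hi)

def esp_verify(key, pkt, seq_hi=None):
    if len(pkt) < 8 + ICV_LEN:
        return False
    spi, seq_lo = struct.unpack("!II", pkt[:8])
    body, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(key, spi, seq_lo, body, seq_hi))

def count_failures(pkts, key, seq_hi=None):
    return sum(not esp_verify(key, p, seq_hi) for p in pkts)

def failure_patterns():
    # Constructed sample data: keys, SPI and payload bytes are made up.
    key_a = bytes(range(32))
    key_b = bytes(range(1, 33))
    spi = 0x1000
    sent = [esp_seal(key_a, spi, seq, b"opaque-iv-and-ciphertext-%d" % seq)
            for seq in range(1, 6)]
    damaged = list(sent)
    damaged[2] = damaged[2][:12] + bytes([damaged[2][12] ^ 0x01]) + damaged[2][13:]
    # Sender computes the ICV with ESN enabled (high bits 0); receiver has ESN off.
    sent_esn = [esp_seal(key_a, spi, seq, b"opaque", seq_hi=0) for seq in range(1, 6)]
    return {
        "same_key": count_failures(sent, key_a),
        "one_damaged_packet": count_failures(damaged, key_a),
        "different_key": count_failures(sent, key_b),
        "esn_setting_differs": count_failures(sent_esn, key_a),
    }

if __name__ == "__main__":
    for case, failed in failure_patterns().items():
        print(f"{case}: {failed}/5 packets fail the ICV check")
```
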